The Shibboleth IdP V4 software will leave support on September 1, 2024.


Current File(s): conf/authn/password-authn-config.xml
Format: Native Spring


This CredentialValidator back-end for the password authentication login flow allows the use of username/password flat files produced by the Apache Web Server htpasswd utility. It is primarily for testing and demonstration scenarios.

The implementation supports all of the non-plaintext formats supported by the utility, though only the salted MD5 variant is considered (reasonably) secure.

General Configuration

Using this back-end requires defining a validator based on shibboleth.HTPasswdCredentialValidator in the shibboleth.authn.Password.Validators bean.

In the simple case of a single back-end:

Defining use of htpasswd file in password-authn-config.xml
<util:list id="shibboleth.authn.Password.Validators"> <bean parent="shibboleth.HTPasswdCredentialValidator" p:resource="%{idp.home}/conf/authn/htpasswd.txt" /> </util:list>

Refer to the HTPasswdCredentialValidator javadoc for a complete summary of options.

If the supplied resource is a file, the software will monitor the file for changes and reload it automatically. If the resource is not a file, the records are loaded only at startup.